Give /proc/iomem a more specific label.
/proc/iomem is currently given the proc label but contains system information
which should not be available to all processes.
Bug: 22008387
Change-Id: I4f1821f40113a743ad986d13d8d130ed8b8abf2f
diff --git a/file.te b/file.te
index 0e08a38..623bb8d 100644
--- a/file.te
+++ b/file.te
@@ -11,6 +11,7 @@
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
+type proc_iomem, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
diff --git a/genfs_contexts b/genfs_contexts
index 4b16ffc..c2c5bb7 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -2,6 +2,7 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0